hellow533 wrote: I also noticed this; however, it limits users, as they cannot access all internal network resources.

Users should still be able to transfer clipboard data seamlessly, and share serial and peripheral devices to the host (I believe this all requires ActiveX controls).

As far as I know, unless I'm mistaken, they cannot share peripheral devices to the host through a tunnel, they can only access whatever they are tunneling to, whereas with a standard remote desktop connection they can access all other devices on the network. I believe SSH is what supports that. I believe I read he is using Windows 2008 server, which supports both SSH and IPSec.

However, I believed this was beyond OP's comprehension. I told him to just make a blacklist. Attackers are added to the blacklist when there are x failed entries to the network within x amount of time. They would then have to be manually removed. That means they cannot just run a bunch of guesses on the network and move on, but would be limited to, let's say, 5: 5 attempts within x minutes = IP ban from the network. Even with multiple attackers from multiple botnets, each botnet would then be banned after so many failures.

hellow533 wrote: As far as I know, unless I'm mistaken, they cannot share peripheral devices to the host through a tunnel, they can only access whatever they are tunneling to, whereas with a standard remote desktop connection they can access all other devices on the network. I believe SSH is what supports that. I believe I read he is using Windows 2008 server, which supports both SSH and IPSec.

However, I believed this was beyond OP's comprehension. I told him to just make a blacklist. Attackers are added to the blacklist when there are x failed entries to the network within x amount of time. They would then have to be manually removed. That means they cannot just run a bunch of guesses on the network and move on, but would be limited to, let's say, 5: 5 attempts within x minutes = IP ban from the network. Even with multiple attackers from multiple botnets, each botnet would then be banned after so many failures.

To be honest, I haven't used the built-in IPSec for Windows 2008, so it's nice to know that's available.

Anyway, the TSG just proxies the connection. On top of that, the user can be running RDP 6.1 or higher, which allows for limited resource redirection. For example, using the TS Easy Print driver on an RDP 6.1 enabled client, you can absolutely print on a client printer while connected to a remote session via TSG.
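The failed-attempt blacklist that hellow533 describes above (ban a source IP after 5 failures within a window, with removal only by hand) is easy to sketch in code. The following is an added example written for this thread, not code from either poster: the log line format, the 10-minute window, the `AUTH FAIL` marker and all IP addresses are constructed assumptions, not a real Windows event format. It shows the three behaviours the post calls for: a fast guesser is banned on the 5th failure, a slow source that never reaches 5 failures inside the window is left alone, and each address of a multi-source attack is counted and banned independently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the post: 5 failures inside a window triggers a ban.
MAX_FAILURES = 5
# The post leaves "x minutes" open; a 10-minute window is an assumption for this example.
WINDOW = timedelta(minutes=10)

# Hypothetical log format, constructed for this example (not a real Windows event format).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) AUTH FAIL user=(?P<user>\S+) src=(?P<ip>[\d.]+)$")


class FailureBlacklist:
    """Sliding-window failure counter with a manual-release ban list."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time of ban; cleared only by unban()

    def is_banned(self, ip):
        return ip in self.banned

    def record_failure(self, ip, when):
        """Record one failed attempt; return True if this failure triggers a ban."""
        if ip in self.banned:
            return False          # already blocked; nothing more to count
        recent = self.failures[ip]
        recent.append(when)
        # Drop failures that fell out of the window, so only a burst counts.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned[ip] = when
            del self.failures[ip]
            return True
        return False

    def unban(self, ip):
        """Manual removal, as the post requires; there is no automatic expiry."""
        self.banned.pop(ip, None)


def process_log(lines, blacklist=None):
    """Feed log lines through the blacklist; return it plus the IPs banned in order."""
    blacklist = blacklist or FailureBlacklist()
    newly_banned = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue              # unrelated or malformed line
        when = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
        if blacklist.record_failure(match["ip"], when):
            newly_banned.append(match["ip"])
    return blacklist, newly_banned


# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    # A fast guesser: 5 failures in under two minutes -> banned on the 5th.
    "2024-01-01 10:00:00 AUTH FAIL user=administrator src=203.0.113.10",
    "2024-01-01 10:00:20 AUTH FAIL user=administrator src=203.0.113.10",
    "2024-01-01 10:00:40 AUTH FAIL user=admin src=203.0.113.10",
    "2024-01-01 10:01:00 AUTH FAIL user=root src=203.0.113.10",
    "2024-01-01 10:01:20 AUTH FAIL user=guest src=203.0.113.10",
    "2024-01-01 10:02:00 AUTH FAIL user=guest src=203.0.113.10",  # ignored: already banned
    # A slow source: 5 failures spread over 50 minutes never has 5 inside the window.
    "2024-01-01 10:00:00 AUTH FAIL user=bob src=198.51.100.7",
    "2024-01-01 10:15:00 AUTH FAIL user=bob src=198.51.100.7",
    "2024-01-01 10:30:00 AUTH FAIL user=bob src=198.51.100.7",
    "2024-01-01 10:45:00 AUTH FAIL user=bob src=198.51.100.7",
    "2024-01-01 10:50:00 AUTH FAIL user=bob src=198.51.100.7",
    "noise line that does not match the format",
]

# Two sources failing in parallel: each address is counted and banned on its own.
BOTNET_LOG = [
    f"2024-01-01 11:00:{k:02d} AUTH FAIL user=administrator src=192.0.2.{i}"
    for i in (1, 2) for k in range(5)
]

if __name__ == "__main__":
    bl, banned = process_log(SAMPLE_LOG + BOTNET_LOG)
    print("banned in order:", banned)
    print("slow source still allowed:", not bl.is_banned("198.51.100.7"))
```

Running it bans `203.0.113.10`, `192.0.2.1` and `192.0.2.2` while leaving `198.51.100.7` untouched; a ban stays until `unban()` is called, which is the manual-removal step from the post. In a real deployment the ban list would be pushed to the firewall or gateway rather than kept in memory, and the per-IP queues need a cap or periodic cleanup so a long-running process does not grow without bound.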